Overview

CryptoLocker and CryptoWall are forms of malware that encrypt files on your computer and demand that you pay a ransom to decrypt them. Instead of paying the criminals behind this attack, you can use CrashPlan to restore your files from a date and time prior to the infection. This article describes how to use CrashPlan to recover your files from a CryptoLocker or CryptoWall attack.

Affects

Known to affect Windows computers

Attacks files on any storage connected to an infected computer, including flash drives, external drives, or mapped network drives

How CrashPlan can help you recover from CryptoLocker or CryptoWall

Code42 has always believed that comprehensive version retention of files is essential to a good backup. That's why CrashPlan's default frequency and version settings let you restore files from a date and time in the past. If your computer becomes infected by CryptoLocker or CryptoWall, this enables you to restore your files from a date and time prior to the infection. To check how frequently versions of your files are backed up:

Open the CrashPlan app

Go to Settings > Backup

Click Configure for frequency and versions

Frequency and version settings
Your version settings must allow backups frequently enough to give you a range of dates from which to choose should your computer become infected. If your frequency and version settings are too restrictive, it's possible that even your oldest version could be encrypted by CryptoLocker or CryptoWall. At a minimum, we recommend the default settings shown below.

Before you begin

The recommended solution below instructs you to restore files from a date before your computer was infected. If you do not know the precise date of infection, you can do a test restore on several infected files to determine the date of infection.

If there are multiple computers on your account, select the infected computer

If you are backing up to multiple destinations, choose the destination from which you want to restore in the backup destination list

Click most recent to open the options for restoring from a previous date and time

Select a date and time that you believe is close to the time of infection

Select an infected file from the list of files

Click Restore

Open the file

If you are able to open the file, then you know that your computer was not yet infected on the date and time you selected. If the restored file is encrypted, repeat the steps above and select an earlier date and time.

Time of infection
CryptoLocker and CryptoWall inform you of infection only after they have finished encrypting your files. This encryption process can take several hours or days, depending on your computer and your files. You may want to test several files to further isolate the date and time of infection.
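When you test-restore several files for one candidate date, you can check them in a batch instead of opening each one by hand. The script below is an added example, not part of the original article or of CrashPlan: it flags restored files whose header does not match their extension or whose content looks random. The function names, the signature table, and the 7.5 entropy threshold are assumptions, and the sample files are constructed stand-ins.

```python
import math
import os
import tempfile

# Well-known leading signatures for a few common document types.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random-looking data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def looks_encrypted(path: str, sample_size: int = 65536) -> bool:
    """Heuristic only: wrong header for a known extension, else near-random entropy."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    return shannon_entropy(head) > 7.5  # threshold is an assumption

def check_restore(folder: str) -> dict:
    """Map each file under a test-restore folder to True if it looks encrypted."""
    results = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            results[os.path.relpath(path, folder)] = looks_encrypted(path)
    return results

def demo() -> dict:
    """Constructed sample: intact PDF and text file, plus random-byte stand-ins."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"clean.pdf": b"%PDF-1.4\n% constructed sample\n",
                   "locked.pdf": os.urandom(4096),
                   "notes.txt": b"plain text notes\n" * 50,
                   "locked.txt": os.urandom(4096)}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return check_restore(d)

if __name__ == "__main__":
    for name, flagged in sorted(demo().items()):
        print(f"{name}: {'LOOKS ENCRYPTED' if flagged else 'ok'}")
```

Point check_restore at the folder you restored the test files into. Compressed formats that are not in the signature table also have high entropy and will be flagged, so confirm any flagged file by opening it.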

Recommended solution

If your computer is infected by CryptoLocker or CryptoWall, follow the steps below to recover your files.

Step 1: Remove the CryptoLocker or CryptoWall infection

If you have not already done so, the first step is to remove the infection from the affected computer. Many sites offer tutorials on removing CryptoLocker or CryptoWall. See External Resources for more information.

Note: Code42 Customer Champions cannot help you remove CryptoLocker or CryptoWall from your computer. Consult a computer specialist if you have additional questions about removing the infection.

Removing infected files
Some variants of CryptoLocker and CryptoWall may rename your files. Check for any renamed files and remove them before continuing.